Full Disclosure mailing list archives
Re: Correction to latest Colsaire advisories
From: "advisories" <advisories () corsaire com>
Date: Tue, 14 Sep 2004 11:03:31 +0100
# I've already sent this to the list once already, but it seems to have got lost somewhere along the way. If it does show up at some point; apologies in advance for the repeat posting. It's always good to be correct(ness). At the time the research was conducted (August 2003) we obviously looked around for as much information as possible prior to commencing. There were a number of individual MIME issues around, but most were single-product vulnerabilities. If the 3APA3A white paper you refer to was in existence at this time, it was not one we encountered. It has also been recently updated to include the latest information, so I can not comment on its previous content. The Corsaire research project produced test cases for around 200 working attack vectors, that when passed through the top 10 content products produced over 800 individual vulnerabilities (needless to point out that there are a lot more than 10 products in this arena). When we approached Mitre in regard to organising CVE numbers, it was clear that there were far too many issues to allocate individually, so it was agreed to pursue the same route as the SNMP issue from several years ago (http://www.cert.org/advisories/CA-2002-03.html) and group them into manageable chunks; this is what produced the broad category based advisories. The use of the categories then isn't an attempt to assume credit for anyone else's work (if such exists), but to manage the volume of issues identified. In regard to the 3APA3A white paper itself, it is true that there is some overlap with the Corsaire advisory categories. However the actual test cases provided to the vendors (plus unpublished advisories) contain literally dozens of issues that are not documented within the 3APA3A white paper at all. If anyone were to claim that the 3APA3A white paper is in any way complete, fully researched and definitive, it would simply be untrue. Regards, Martin O'Neal Colsaire (chopped cabbage & onion; pirate style) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Correction to latest Colsaire advisories 3APA3A (Sep 13)
- Re: Correction to latest Colsaire advisories Andreas Marx (Sep 15)
- <Possible follow-ups>
- Re: Correction to latest Colsaire advisories advisories (Sep 14)
- Re[2]: Correction to latest Colsaire advisories 3APA3A (Sep 14)
- Re[3]: Correction to latest Colsaire advisories advisories (Sep 14)
- Re[4]: Correction to latest Colsaire advisories 3APA3A (Sep 14)